Security in .NET - PowerPoint PPT Presentation

Slides: 48
Provided by: johanli

Transcript and Presenter's Notes

Title: Security in .NET


1
Security in .NET
2
What are we to talk about?
  • Security A-B-C
  • Security on the client
  • Evidences
  • Policies
  • Permissions
  • Security on the server
  • ASP.NET
  • Security on the network
  • Cryptography
  • Web Service security (will be covered in next
    session)

4
What is security all about?
  • Identification
  • Authentication
  • Authorization
  • Integrity
  • Confidentiality
  • Non-repudiation

5
Key Semi-Trust Scenarios
  • OS security is based on user rights
  • CLR security, layered on OS security, gives
    rights to code

6
Verification
  • Security enforceable on well-behaved code
  • Without verification, arbitrary code can subvert
    security mechanisms
  • Verification rules are safe, may falsely reject
  • Code is verified to be memory type safe
  • Only access objects via well-defined interfaces
  • No unsafe casts, no access beyond array bounds,
    etc.
  • No stack underflow/overflow conditions
  • Verification is great for general code quality
  • Verifiability depends on the compiler/language

7
Evidence-Based Security
  • Evidence
  • Inputs to policy about code
  • Extensible by design
  • Policy
  • Determines what code can do
  • Grants permissions to an assembly
  • Permissions
  • Specific authorizations
  • Define a level of access to a resource

8
Evidence Types
  • Related to where the code was loaded from
  • URL
  • Site
  • Zone
  • Application Directory
  • Related to who wrote the code
  • Strong Name
  • Publisher
  • Arithmetic calculation of overall contents
  • Hash

9
Hierarchical Policy Levels
  • CLR supports multiple, ordered policy levels
  • Enterprise: common policy for organization
  • Machine: policy for all users of given machine
  • User: policy specific to logged in user
  • A policy contains
  • Code Groups
  • Permission Sets
  • Policy Assemblies
  • Effective policy is the intersection of all levels

10
Code Group fundamentals
  • Two linked rules
  • What assemblies are members?
  • What permissions should they be granted?
  • Code groups can be composed by unions

11
Changing Policies
  • Changing Policy
  • Done by Administrators
  • Limit what you trust
  • When in doubt omit permissions
  • Trust a particular server or a particular strong
    name

12
Assembly Input To Policy
  • Assembly may have permission requests
  • Minimum, Optional, Refuse
  • If unspecified, Minimum and Refuse default to the
    empty set, Optional defaults to everything
  • Load fails if policy does not grant Minimum
  • Assembly is granted
  • (MaxAllowed ∩ (Minimum ∪ Optional)) − Refused
  • In the default case (no requests) this reduces to
    MaxAllowed

13
Permissions
  • A permission is a set (or subset) of capabilities
  • The right to interact with a given resource
  • All permissions implement union, intersection,
    and subset operations
  • Load time and run time security checks
  • Declarative security operations are made by
    annotating source code, appear in metadata
  • Imperative security operations are performed via
    object creation and method invocation
  • Stack walks guard against luring attacks
  • Overridable with Asserts

14
Stack-walking Semantics
P is compared with grants of all callers on the
stack above M4
15
Assert() can modify stack-walks
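
A minimal model of the stack walk and of Assert() from slides 13 to 15, added here as an illustration (it is not code from the presentation and not the CLR's implementation). The Frame type, the Demand helper and the M1 to M3 call chain are hypothetical.

```csharp
using System;
using System.Collections.Generic;

// Simplified model of a CAS stack walk. Frame and Demand are hypothetical
// names, not CLR APIs; Grants is what policy gave the frame's assembly.
class Frame
{
    public string Method;
    public HashSet<string> Grants;
    public HashSet<string> Asserts = new HashSet<string>();
    public Frame(string method, params string[] grants)
    {
        Method = method;
        Grants = new HashSet<string>(grants);
    }
}

static class StackWalkDemo
{
    // Walks from the nearest caller outwards. Every frame must hold the
    // permission; a frame that holds it and asserts it ends the walk early.
    public static bool Demand(IList<Frame> callers, string permission)
    {
        for (int i = callers.Count - 1; i >= 0; i--)
        {
            Frame f = callers[i];
            if (!f.Grants.Contains(permission))
            {
                Console.WriteLine("  denied at " + f.Method);
                return false;
            }
            if (f.Asserts.Contains(permission)) return true;
        }
        return true;
    }

    static void Main()
    {
        // Constructed call chain: M1 calls M2 calls M3, which calls the demanding M4.
        var stack = new List<Frame> {
            new Frame("M1 (downloaded code)", "Execution"),
            new Frame("M2 (trusted library)", "Execution", "FileIO"),
            new Frame("M3 (trusted library)", "Execution", "FileIO"),
        };
        Console.WriteLine("Demand FileIO: " + Demand(stack, "FileIO"));
        stack[1].Asserts.Add("FileIO"); // M2 vouches for whoever calls it
        Console.WriteLine("After M2 asserts: " + Demand(stack, "FileIO"));
    }
}
```

The first demand fails at M1, which is the protection against luring; after M2 asserts, the walk stops before reaching M1, so an asserting library has to validate what its callers ask it to do.
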
16
Permissions Protect Resources
  • FileIO
  • FileDialog
  • IsolatedStorage
  • Environment
  • Registry
  • UI
  • Printing
  • Reflection
  • Security
  • Socket
  • Web
  • DNS
  • OleDb
  • SQLClient
  • MessageQueue
  • EventLog
  • DirectoryServices
  • extensible

Execution, Assertion, Skip Verification,
Unmanaged code, Control evidence, Control policy,
Control principal, Control threads
17
Putting It All Together
Assembly A3
Host
Security Policy
Policy Evaluator
18
Managed Code Execution
DEVELOPMENT
Source code

    using System;
    using System.IO;

    public class App
    {
        public static void Main(String[] args)
        {
            String usr;
            FileStream f;
            StreamWriter w;
            try
            {
                // Read the user name from the environment and write it to a file
                usr = Environment.GetEnvironmentVariable("USERNAME");
                f = new FileStream("C:\\test.txt", FileMode.Create);
                w = new StreamWriter(f);
                w.WriteLine(usr);
                w.Close();
            }
            catch (Exception e)
            {
                Console.WriteLine("Exception:" + e.ToString());
            }
        }
    }

Compiler
Assembly Metadata and IL
19
Extending the Policy System
  • Custom Permissions
  • App defined authorization for a resource
  • Easy integration with policy
  • Custom Code Groups Membership Conditions
  • Implement new Code Group logic
  • Dynamic permission set computation
  • Alter default combining logic
  • Custom Evidence
  • Create embedded evidence (e.g. certifications)
  • Evidence from trusted hosts

20
What are we to talk about?
  • Security A-B-C
  • Security on the client
  • Evidences
  • Policies
  • Permissions
  • Security on the server
  • ASP.NET
  • Security on the network
  • Cryptography
  • Web Service security (will be covered in next
    session)

21
Security on the server
  • Authentication and authorization
  • Extensible and customizable
  • Authentication scheme transparency
  • Simple deployment model
  • Support for granular declarative and imperative
    authorizations
  • Supports application layer security

22
ASP Architecture
Internet Information Server
ISAPI Filters
ISAPI Extensions
ASP.DLL
Script Execution
ASP Script Engine
Script Code
Script Engine Cache
.ASP file
23
ASP.NET Architecture
ASP.NET HTTP Runtime
Modules
Page Handlers
ASPX Engine
Class Instance
ASP.NET page
Page Class
24
Process Identity
  • Windows 2000
  • Default is ASPNET (local service account)
  • Can also run as System or configured account
    using <processModel>
  • Windows .NET Server
  • Uses IIS 6 process model
  • Default is NetworkService
  • App Pools are configurable, identity is
    configurable

25
Request identity
  • Impersonation
  • Running under the security context of the request
    entity
  • Configurable in ASP.NET
  • Enable for ASP compatible behavior

<system.web>
  <identity impersonate="true" />
</system.web>
26
ASP .NET Request Processing
  • Per Request Events
  • BeginRequest
  • AuthenticateRequest
  • AuthorizeRequest
  • ResolveRequestCache
  • AcquireRequestState
  • PreRequestHandlerExecute
  • <handler executes here>
  • PostRequestHandlerExecute
  • ReleaseRequestState
  • UpdateRequestCache
  • EndRequest

ASP.NET Page
ASP.NET Service
HTTP Handler
Application
HTTP Module
HTTP Module
Global.asax
HttpContext
ASP.NET Runtime
Host (IIS)
27
Authentication
  • ASP.NET is an ISAPI extension
  • Only receives requests for mapped content
  • Windows Authentication (via IIS)
  • Basic, Digest, NTLM, Kerberos, Certificate
    Support
  • Leverages platform authentication
  • Forms-based (Cookie) Authentication
  • Application credential verification
  • Supports Microsoft Passport Authentication
  • Custom Authentication

28
Microsoft Passport
  • Single sign-in across member sites
  • Integrated into ASP.NET authentication
  • Requires Passport SDK installation
  • ASP.NET wraps
  • IPassportManager
  • IPassportManager2
  • IPassportCrypt
  • More details at
  • http://www.passport.com
  • Passport support built into IIS 6

29
Forms-Based Auth
  • Easy to implement
  • ASP.NET provides redirection
  • Steps
  • Configure IIS to allow anonymous users
    (typically)
  • Use SSL!
  • Configure ASP.NET cookie authentication
  • Write your login page

30
Forms authentication
31
Forms Auth Configuration
<authentication mode="Forms">
  <forms name=".ASPXAUTH"
         loginUrl="login.aspx"
         protection="All"
         timeout="30"
         path="/" />
</authentication>
32
Authorization Strategies
  • Windows Security and ACLs
  • ACLs checked for Windows auth
  • Independent of impersonation
  • COM Roles
  • URL Authorization
  • Custom Authorization
  • Windows .NET AuthZ Framework
  • Explicit imperative/declarative checks

33
Using URL Authorization
  • Example: allow Admins or WebServiceUsers and
    deny all others
  • Example: deny anonymous users

<!-- * is all users, ? is anonymous users -->
<authorization>
  <allow verbs="POST" roles="Admins" />
  <allow roles="WebServiceUsers" />
  <deny users="*" />
</authorization>

<authorization>
  <deny users="?" />
</authorization>
34
Custom security
  • Handle appropriate event
  • Application level (global.asax) or
  • Http Module (implement IHttpModule)
  • Authentication: AuthenticateRequest
  • Custom SOAP authentication
  • Authorization: AuthorizeRequest
  • Implement per-request billing system
  • Restrict access based on business rules

35
What are we to talk about?
  • Security A-B-C
  • Security on the client
  • Evidences
  • Policies
  • Permissions
  • Security on the server
  • ASP.NET
  • Security on the network
  • Cryptography
  • Web Service security (will be covered in next
    session)

36
Terminology
  • Plaintext
  • The stuff you want to secure, typically readable
    by humans (email) or computers (software, order)
  • Ciphertext
  • Unreadable, secure data that must be decrypted
  • Key
  • You must have it to encrypt or decrypt (or do
    both)
  • Cryptanalysis
  • Hacking it by using science
  • Complexity Theory
  • How hard is it and how long will it take to run a
    program

37
Cryptographic Ciphers
  • Symmetric Cipher: 1 Key
  • Used for encryption and decryption
  • Key is vulnerable if transmitted
  • Does not support non-repudiation
  • Examples
  • Triple DES (64bit)
  • AES (variable key size)

Diagram labels: Text, Ciphertext
38
Cryptography Ciphers
  • Asymmetric Cipher: non-matching keys
  • One key for encryption
  • One key for decryption
  • Does not require exchange of keys
  • Examples
  • RSA (variable key size)

Diagram labels: Text, Ciphertext, Text
39
Digital Signatures
  • Enables integrity and non-repudiation
  • RSA, DSA or HMAC (symmetric key)
  • Relies on Hashing
  • Secure Hash Algorithm (SHA)
  • SHA1 creates a 20 byte digest of any binary data
    (2^160)

Diagram labels: Public Key, RSA Private Key, Text, Signed Digest, SHA, Digest
40
Cryptographic APIs
  • Comprehensive cryptographic library
  • Easy, unified, stream-based architecture
  • System.Security.Cryptography
  • Common algorithms
  • Hashing: SHA-1, SHA-256/-384/-512, MD5
  • Asymmetric: RSA, DSA
  • Symmetric: AES, TripleDES, DES, RC2
  • MAC: HMAC-SHA1, MACTripleDES
  • Open extensible model (new algorithms)

41
Crypto Object Model
Symmetric Algorithm
Abstract Base Classes (only one shown)
TripleDES
Rijndael
RC2
Abstract Algorithm Classes
Algorithm Implementation Classes
TripleDESCryptoServiceProvider (CryptoAPI)
RijndaelManaged (C#)
RC2CryptoServiceProvider
42
Sample: Hashing and RNGs
  • Simple programming model
  • Common functions accessible as single method
    calls on algorithm objects
  • Runtime adaptation based on config system
  • You choose the default implementation

Dim rng As RandomNumberGenerator = RandomNumberGenerator.Create()
Dim bytes As Byte() = New Byte(128) {}   ' 128 is the upper bound, so 129 bytes
rng.GetBytes(bytes)

Dim hash As SHA256 = SHA256.Create()
Dim digest As Byte() = hash.ComputeHash(inputData)
43
Encryption
  • Instantiate the algorithm
  • SymmetricAlgorithm alg = SymmetricAlgorithm.Create("DES");
  • Generate a key
  • byte[] myNewKey = alg.Key;
  • Encode your data
  • string message = "Top secret data...";
  • byte[] plain = Encoding.UTF8.GetBytes(message);
  • Perform the encryption
  • ICryptoTransform enc = alg.CreateEncryptor();
  • byte[] cipher;
  • cipher = enc.TransformFinalBlock(plain, 0, plain.Length);

44
Decryption
  • Instantiate the algorithm
  • SymmetricAlgorithm alg = SymmetricAlgorithm.Create("DES");
  • Obtain the key
  • alg.Key = theKey;
  • Perform the decryption
  • ICryptoTransform dec = alg.CreateDecryptor();
  • byte[] plain;
  • plain = dec.TransformFinalBlock(cipher, 0, cipher.Length);
  • Decode the data
  • string plainText = Encoding.UTF8.GetString(plain);
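
The encryption and decryption steps from slides 43 and 44 as one round trip, added here as an example (not code from the presentation). It uses AES instead of the slides' DES and carries the IV with the ciphertext, because the decryptor needs the same IV as well as the key; the class and method names are hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class RoundTripDemo
{
    // Encrypts with a fresh random IV and returns IV || ciphertext.
    public static byte[] Encrypt(byte[] key, string message)
    {
        using (Aes alg = Aes.Create())
        {
            alg.Key = key;
            alg.GenerateIV(); // new IV per message (CBC is the default mode)
            byte[] plain = Encoding.UTF8.GetBytes(message);
            using (ICryptoTransform enc = alg.CreateEncryptor())
            {
                byte[] cipher = enc.TransformFinalBlock(plain, 0, plain.Length);
                byte[] output = new byte[alg.IV.Length + cipher.Length];
                Buffer.BlockCopy(alg.IV, 0, output, 0, alg.IV.Length);
                Buffer.BlockCopy(cipher, 0, output, alg.IV.Length, cipher.Length);
                return output;
            }
        }
    }

    // Splits the IV off the front of the blob, then decrypts the remainder.
    public static string Decrypt(byte[] key, byte[] ivAndCipher)
    {
        using (Aes alg = Aes.Create())
        {
            byte[] iv = new byte[alg.BlockSize / 8];
            Buffer.BlockCopy(ivAndCipher, 0, iv, 0, iv.Length);
            alg.Key = key;
            alg.IV = iv;
            using (ICryptoTransform dec = alg.CreateDecryptor())
            {
                int n = ivAndCipher.Length - iv.Length;
                byte[] plain = dec.TransformFinalBlock(ivAndCipher, iv.Length, n);
                return Encoding.UTF8.GetString(plain);
            }
        }
    }

    static void Main()
    {
        byte[] key;
        using (Aes a = Aes.Create()) { key = a.Key; } // random key for the demo
        byte[] blob = Encrypt(key, "Top secret data...");
        Console.WriteLine(Decrypt(key, blob));
    }
}
```

CBC encryption alone provides confidentiality, not integrity; to detect tampering, add a MAC such as the HMAC listed on slide 40.
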

45
What have we talked about?
  • Security A-B-C
  • Security on the client
  • Evidences
  • Policies
  • Permissions
  • Security on the server
  • ASP.NET
  • Security on the network
  • Cryptography

46
Recommended reading
  • Applied Cryptography
  • Bruce Schneier
  • ISBN 0-4711-1709-9
  • Writing Secure Code
  • Michael Howard, David Leblanc
  • ISBN 0-7356-1588-8
  • The Code Book
  • Simon Singh
  • ISBN 0-3854-9532-3

47
(No Transcript)